Flagstar Bank sued over its latest massive data breach

Flagstar Bank is facing three class action suits from customers alleging negligence and violation of state data protection laws, among other counts, from a December hack affecting over 1.5 million users.

Plaintiffs Allie McLaughlin, Scott Temple and Thomas Cowan, and John Scott Smith filed the separate lawsuits over the past two weeks in the Eastern District of Michigan United States District Court shortly after Flagstar revealed a two-day cyberattack in December that impacted 1,547,169 customers. The incident involved customers’ personally identifiable information including Social Security numbers, the bank disclosed.

Two of the lawsuits list amounts in controversy exceeding $5 million. Affected customers criticized Flagstar’s brief breach disclosures and cyberdefenses after the bank was a victim of a similarly massive attack in 2020.

“Flagstar’s failure to learn from its previous December 2020 data breach demonstrates its nonchalant approach to cybersecurity and its institutional disregard for consumer data protection,” an attorney wrote on behalf of McLaughlin, a Pasco, Washington resident who obtained a mortgage from the bank in March 2020.

A representative for the company Friday declined to comment on pending litigation.

The Troy, Michigan-based lender was ensnared in the 2020 data breach at Accellion, a provider of software used to secure sensitive content. That hack impacted dozens of Accellion clients including 1,465,002 Flagstar customers, according to the firm’s disclosure last March with the Office of the Maine Attorney General.

Flagstar customers impacted by the Accellion hack filed federal class action complaints last year and details surrounding a settlement are still being worked out in a California federal court.

The new trio of complaints relay similar criticisms about the bank’s disclosure, which came six months after the incident and did not detail how the breach occurred or who was responsible. The suits also take issue with the company’s assurances that no affected customer PII was misused, since customers were unaware for almost half a year that their PII was compromised in the Flagstar incident.

Smith, a resident of National City, California near San Diego, said he was a victim of at least two incidents involving his stolen PII since May. He obtained a mortgage in 2011 from Flagstar for a home in Bonita, California and sold the home in 2021, making his last payment to the bank in February of last year, and claimed the firm retained his information.

In May, Smith realized a fraudulent $5K check was negotiated from his account to an unknown third party, and was advised by his unnamed bank to shut down his accounts including checking, savings and college funds. A week later, an unknown person accessed Smith’s account and made payments to unfamiliar credit cards, the suit said. A few weeks prior, someone had tried to negotiate a larger undisclosed sum from the account which was rejected over insufficient funds.

Temple, a Utah resident, and Cowan, a California resident, only said they’d received financial or mortgage-related services and didn’t identify a specific incident involving their compromised PII. 

The Flagstar lawsuits are the latest litigation from customers impacted by recent, large data breaches at mortgage firms. One of the 85,958 users affected by a cyberattack last fall at fintech lender Lower sued the company Monday over similar charges. Two servicers, subsidiaries of Florida-based Bayview Asset Management, face two class action complaints over a data breach last fall affecting over 2.6 million borrowers.